Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states.

Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies.

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states.

Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies.

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states.

Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies.

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to unbounded decompression of highly compressed HTTP request bodies when the HTTP parser auto_decompress feature is enabled.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive warning-level logging when parsing invalid Cookie headers. When server code accesses aiohttp.web_request.Request.cookies, the aiohttp._cookie_helpers.parse_cookie_header() function validates cookie names and can emit a log entry for each illegal cookie name, enabling a single request to generate a large number of warning logs.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to excessive blocking CPU usage when processing a large number of HTTP chunked messages. When an aiohttp server endpoint calls request.read(), the chunked body handling performs costly per-chunk processing that can consume a moderate amount of blocking CPU time (for example, around one second) when the request contains an unusually large number of chunks.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to improper enforcement of request size limits during multipart form parsing. The aiohttp aiohttp.web_request.Request.post() method in aiohttp/web_request.py iterates over multipart fields but (prior to the fix) resets its running byte counter per part rather than tracking the total size of the entire multipart form, allowing the aggregate payload to grow without being bounded by client_max_size.

Affected versions of aiohttp are vulnerable to HTTP Request Smuggling (CWE-444). This vulnerability allows attackers to inject malicious HTTP messages by including line feeds (LF) in chunk extensions, potentially bypassing security controls and executing unauthorized actions. The attack vector involves sending specially crafted chunked HTTP requests to exploit the improper parsing in the HttpPayloadParser class. To mitigate, upgrade to aiohttp version which validates chunk extensions by rejecting any containing unexpected LFs, thereby preventing request smuggling attacks.

Affected versions of the `aiohttp` package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input on index pages for static file handling. The vulnerability exists because the `show_index` option, when enabled, allows unsanitized user input to be rendered directly into the HTML content of directory listings. An attacker can exploit this vulnerability by crafting a malicious URL that, when accessed, executes arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or data theft.

Affected versions of the aiohttp package are vulnerable to Denial of Service (DoS) due to relying on Python assert statements for malformed request handling, which are removed when interpreter optimizations are enabled. The aiohttp.web_request.Request.post() method can trigger an infinite loop in multipart POST body processing because assertions in multipart parsing paths, such as aiohttp.multipart.BodyPartReader.read_chunk() and _read_chunk_from_stream() are bypassed, preventing the code from enforcing an exit condition on invalid EOF and boundary states.

Affected versions of the aiohttp package are vulnerable to Information Disclosure due to static-file path normalisation enabling inference of absolute path component existence. In aiohttp, applications that register a static route via aiohttp.web.static() may expose filesystem path information because the static handler’s normalization and response behaviour lets a requester distinguish which absolute path components exist.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to Unicode digit matching in the Range header parser. In aiohttp.web_request.BaseRequest.http_range, the Range header is parsed with the regular expression ^bytes=(\d*)-(\d*)$ via re.findall(...) without restricting \d to ASCII, which allows non-ASCII decimal characters to be accepted as valid byte-range values.

Affected versions of the aiohttp package are vulnerable to Request Smuggling due to inconsistent Unicode processing of non-ASCII HTTP header values. In the pure-Python HTTP parser (used when the C extensions are not installed or when AIOHTTP_NO_EXTENSIONS is enabled), aiohttp.http_parser.parse_headers() and helpers such as _is_supported_upgrade() and HttpParser._is_chunked_te() apply .lower() to Upgrade, Transfer-Encoding, and Content-Encoding values without first enforcing ASCII-only input, allowing certain non-ASCII characters to be transformed during case-folding and creating parsing discrepancies.

Affected versions of `aiohttp` are vulnerable to an infinite loop condition. This occurs when an attacker sends a specially crafted POST (multipart/form-data) request. Upon processing, the `aiohttp` server enters an infinite loop, preventing it from processing further requests. This results in a denial-of-service (DoS) attack, allowing an attacker to stop the application from serving requests after a single request. Users are advised to upgrade to version 3.9.4 or manually apply a patch to their systems as per the linked GHSA instructions.

The vulnerability lies in the improper configuration of static resource resolution when aiohttp is used as a web server. It occurs when the follow_symlinks option is enabled without proper validation, leading to directory traversal vulnerabilities. Unauthorized access to arbitrary files on the system could potentially occur. The affected versions are >1.0.5, and the issue was patched in version 3.9.2. As a workaround, it is advised to disable the follow_symlinks option outside of a restricted local development environment, especially in a server accepting requests from remote users. Using a reverse proxy server to handle static resources is also recommended.
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd

Affected versions of the cbor2 package are vulnerable to Information Disclosure due to the CBORDecoder state being reused without clearing shareable values between decode operations. In cbor2, CBORDecoder.decode_from_bytes() and the CBORDecoder.fp setter (including the C extension _CBORDecoder_set_fp and the pure-Python cbor2/_decoder.py implementation) do not reset the internal shareables list that stores tag 28 (shareable) values for later retrieval via tag 29 (sharedref), allowing those references to persist across separate messages.

Cbor2 5.6.0 fixes  issue that was causing a MemoryError when decoding large definite strings. It was due to the library attempting to allocate more memory than available, leading to a failure in memory allocation. The fix involves altering how the library manages memory allocation for large strings, thus preventing the MemoryError from being thrown and allowing the library to handle large strings correctly.
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Affected versions of Cbor2 are vulnerable to Buffer Overflow. An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Pycryptodome 3.20.0 addresses a vulnerability in the OAEP decryption process, which previously had a side-channel leakage issue. This vulnerability could potentially be exploited through a Manger attack, a type of cryptographic attack. The resolution of this issue enhances the security of the library, especially in its handling of OAEP decryption.
https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd